Hi team, according to some news, an apache log4j v...
# feedback-and-requests
Hi team, according to some news, an Apache log4j vulnerability was found. The affected versions are 2.0 <= Apache log4j2 <= 2.14.1. Airbyte uses one of them. So, it would be great to upgrade log4j immediately.
• https://www.cyberkendra.com/2021/12/worst-log4j-rce-zeroday-dropped-on.html
• https://www.spigotmc.org/threads/security-releases-%E2%80%94-1-8-8%E2%80%931-18.537204/
@Lake Mossman were you doing a release?
@Jared Rhizor (Airbyte) Thank you for quickly fixing it!
Sorry I was afk, I was planning to do a release but it looks like you took care of it. Thanks!
Yay!!
Is there any security advisory or some blog post/update published for on-prem users, so that they can see which versions are affected and what to upgrade to?
The log4j PR was merged and released as part of Airbyte `0.33.8`: https://github.com/airbytehq/airbyte/pull/8688
Thanks a lot!
Hi, it would be good to upgrade log4j2 to 2.16.0. The version contains a more secure implementation. https://github.com/apache/logging-log4j2/releases/tag/rel%2F2.16.0
Already available in 0.33.12-alpha!